Wrong path to LDAP configuration file supplied in config option
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sudo (Debian) | Fix Released | Unknown | | |
| sudo (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: sudo-ldap
As per debian/rules in the sudo source package, the configure script gets passed:
This is clearly wrong, as README.LDAP states:
Configure your /etc/ldap.conf
===
The /etc/ldap.conf file is meant to be shared between sudo,
pam_ldap, nss_ldap and other ldap applications and modules.
In Ubuntu, the configuration file of nss_ldap and pam_ldap is /etc/ldap.conf. /etc/ldap/ldap.conf is used by the OpenLDAP client utilities, such as ldapsearch, ldapadd, etc., and uses a different format than the pam_ldap/nss_ldap config files. Thus, it makes no sense to use /etc/ldap/ldap.conf for the LDAP configuration of sudo.
I think relying on the configuration file of another software package is really a problem with upstream, but we could fix it in Ubuntu by having the configure line discussed above changed to:
Changed in sudo: status: Unknown → New
Changed in sudo (Ubuntu): status: Triaged → Fix Released
Changed in sudo (Debian): status: New → Fix Released
Confirmed, but it would be better to have /etc/sudo-ldap.conf rather than sharing it with the default /etc/ldap.conf (which might be used by other packages). This is also because any serious sudo-ldap configuration would require a bind password/DN for accessing the records. Additionally, /etc/sudo-ldap.conf must be root-readable only; otherwise it would be like leaking /etc/sudoers to all users, which is not desirable.
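The permission requirement raised in the comment above is easy to verify mechanically. The following script is an added example written for this page; it is not part of the bug report, the sudo package or Debian's packaging. It checks that a config file holding an LDAP bind DN/password (the /etc/sudo-ldap.conf proposed above, or /etc/ldap.conf if that is what sudo is built to read) is owned by root and carries no group/other permission bits, and it demonstrates the check on a constructed temporary file rather than on a real system path. It assumes a Linux host with GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo package): verify that a
# config file containing an LDAP bind password is private to root.
# Assumes GNU coreutils stat(1); the file names are illustrative.

# Returns 0 if FILE has any permission bit set for group or other.
# In that case the bindpw inside is exposed to every local user, much like
# handing out /etc/sudoers.
conf_exposed() {
    f="$1"
    mode=$(stat -c '%a' "$f") || return 2
    # stat prints the octal mode (e.g. 644, 600, 1640). The last two digits
    # are the group and other bits; the file is private only if both are 0.
    case "$mode" in
        *00) return 1 ;;   # e.g. 600, 400, 700: nothing for group/other
        *)   return 0 ;;   # e.g. 644, 640, 604: exposed
    esac
}

# Returns 0 if FILE is owned by uid 0.
owned_by_root() {
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# Combined check: returns 0 only when FILE is safe to hold a bind password.
# Warnings go to stderr so the function is usable from cron or a postinst.
conf_is_private() {
    f="$1"
    if conf_exposed "$f"; then
        echo "WARNING: $f is readable by non-root users (mode $(stat -c '%a' "$f"))" >&2
        return 1
    fi
    if ! owned_by_root "$f"; then
        echo "WARNING: $f is not owned by root" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed file; no real /etc/sudo-ldap.conf is touched.
demo() {
    tmp=$(mktemp) || return 1
    # Constructed sample content in pam_ldap/nss_ldap style, as sudo-ldap reads it.
    printf 'binddn cn=sudo,dc=example,dc=com\nbindpw s3cret\n' > "$tmp"

    chmod 0644 "$tmp"
    conf_exposed "$tmp" && echo "mode 0644: bindpw exposed to all users"

    chmod 0600 "$tmp"
    conf_exposed "$tmp" || echo "mode 0600: group/other have no access"

    rm -f "$tmp"
}

# Run the demo only when executed directly, so the functions can be sourced.
case "$0" in
    *sh) ;;      # sourced (sh, bash, dash): do nothing
    *) demo ;;
esac
```

Usage on a real system would be `conf_is_private /etc/sudo-ldap.conf` after installing the file; the `owned_by_root` test will of course fail in the demo unless the script itself runs as root, which is why the demo exercises only the mode check.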